Almost every business network today has (or will have) clients connecting to the network remotely, via dialup and/or VPN connections. In our mobile world, employees need access to network resources when they're away from the office; this includes executives who connect from hotel rooms when on the road, roaming support people who connect from satellite offices, and telecommuters who connect from home.
The ability to verify identity (authentication) is even more important for remote users than for those who are on-site, since without a secure authentication scheme anyone could get into the network and view, copy, change or even destroy important data.
The choices you make have implications for ease of administration and security as your network grows.
Remote access authentication options
Remote access servers can be configured as dial-in servers or VPN servers. Dial-in servers use the Point-to-Point Protocol (PPP) or in the case of some older servers, the Serial Line Internet Protocol (SLIP) as the link layer protocol. VPN servers can use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or IPSec tunnel mode to establish a secure "tunnel" over the Internet. Windows remote access servers support the following set of authentication methods:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft's implementation of CHAP (MS-CHAP)
- Updated version of MS-CHAP (MS-CHAP2)
- Extensible Authentication Protocol/Transport Layer Security (EAP/TLS)
For security purposes, PAP can be excluded as a viable option for most businesses because it sends passwords across the phone line or Internet in plain text. The only reason to use PAP is if the remote access client and remote access server are not able to negotiate a more secure authentication method. Many VPN/firewall products do not support PAP because of the security issue.
CHAP is an Internet standard defined in RFC 1994. It uses a three-way handshake to verify identity. The three steps in the process are:
- The authenticator sends a challenge message to the client.
- The client responds with a value that's calculated via the Message Digest 5 (MD-5) one-way hash function.
- The authenticator also calculates the hash value and compares the client's response with its own calculation. If the values match, the connection is established.
Since the password itself is never sent over the link, CHAP is much more secure than PAP. CHAP can be used by most third-party remote access servers.
MS-CHAP is Microsoft's version of the standard CHAP method. It uses the same three-way handshake process, but is designed to be used by computers running Windows operating systems and integrates the encryption and hashing algorithms that are used on Windows networks. Version 2 adds such features as mutual (two-way) authentication of both client and server, as well as stronger encryption keys. MS-CHAP v2 is more secure than CHAP for Windows systems.
EAP/TLS provides for use of more secure authentication methods such as smart cards, Kerberos, and digital certificates, which are much more secure than the user name/password authentication methods above. It's defined in RFC 2716.
The remote access server can act as the EAP/TLS authenticator, or it can act as a "pass through," encapsulating the EAP packets and sending them to a backend security server such as a Remote Authentication Dial In User Server (RADIUS) server.
RADIUS provides for a centralized authentication database and can handle authorization and accounting in addition to authentication. Authorization refers to granting specific services to users based on their authenticated identity; restrictions can be imposed on certain users. Accounting refers to tracking the use of the network by users and can be done for billing, management, or security purposes. RADIUS is defined in RFCs 2865 and 2866.
RADIUS is supported by dial-in remote access servers, VPN servers, and wireless access points (WAPs). In addition to the authentication protocols listed above, RADIUS supports Protected EAP (PEAP) for wireless access.
Microsoft's implementation of RADIUS is the Internet Authentication Service (IAS). It's built into the Windows 2000 Server and Windows Server 2003 operating systems. Microsoft vendor-specific RADIUS attributes are defined in RFC 2548. IAS integrates with the Active Directory service and allows AD user credentials to be used for remote access (single sign-on).
Making it scalable
As your organization grows, the number of remote access users is likely to grow, as well. Managing authentication for a large number of users can become problematic. It's especially helpful to have a way to track users' remote usage in a large organization. In addition, security becomes more important as the organization grows.
By using EAP/TLS as your remote access authentication method, you ensure the most secure remote access authentication and at the same time make it easy to implement a RADIUS solution that will scale up with the growth of the network.
You can use remote access policies to control groups of users, and in a multi-domain environment, IAS allows you to use user principal names (UPNs) to identify users. This is important in large organizations with complex networks because a user can have the same UPN regardless of which domain he/she belongs to.
Windows 2003 Server Enterprise Edition's IAS implementation puts no limits on the number of RADIUS clients you can configure or on the number of RADIUS server groups you can have. Even more importantly, a single RADIUS server can support many remote access servers, so that as you add additional dial-in and/or VPN servers, their users are all still authenticated through one central point: the RADIUS server. The fact that the authentication server is separate from the access server(s) makes this both more secure and more scalable than other authentication methods.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.